?
Solved

ASA 5520 xlate

Posted on 2008-10-06
15
Medium Priority
?
2,657 Views
Last Modified: 2013-12-23
I'm replacing an old 2651 with a ASA 5520 with 8.0(3). I'm new at this, but have pieced it together so that it seems to work and test out OK; however, once I place it on my network most users experience symptoms of congestion. If I do a clear xlate it will clear up for a minute or so. Below is the config and output of some commands with only a few clients on--not when the entire network is behind it.

The ASA goes to a Packeteer 7500>Bluecoat Proxy>L3 4503 switch. Proxy and Packeteer are transparent--just for filtering and shaping.



:
ASA Version 8.0(3) 
!
hostname XYZABC
domain-name AAA
enable password X1ukmNQg/PUDAkLR encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xx.xxx.xx.93 255.255.255.240 
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.240 
!
interface GigabitEthernet0/2.110
 description Main Office Interface
 vlan 11
 nameif Main
 security-level 100
 ip address 10.6.0.3 255.255.255.224 
!
interface GigabitEthernet0/2.120
 description CW Interface
 vlan 12
 nameif CW
 security-level 100
 ip address 10.6.0.35 255.255.255.240 
!
interface GigabitEthernet0/2.130
 description HN Interface
 vlan 13
 nameif HN
 security-level 100
 ip address 10.6.1.3 255.255.255.248 
!
interface GigabitEthernet0/2.140
 description TMDE Interface
 vlan 14
 nameif TMDE
 security-level 100
 ip address 10.6.3.3 255.255.255.240 
!
interface GigabitEthernet0/2.200
 description Standard Interface
 vlan 2
 nameif Standard
 security-level 100
 ip address 10.1.0.3 255.255.128.0 
!
interface GigabitEthernet0/2.300
 description VOIP Interface
 vlan 3
 nameif VOIP
 security-level 100
 ip address 10.4.0.3 255.255.128.0 
!
interface GigabitEthernet0/2.500
 description Corporate Interface
 vlan 5
 nameif Corporate
 security-level 100
 ip address 10.3.0.3 255.255.240.0 
!
interface GigabitEthernet0/2.600
 description Equipment Interface
 vlan 6
 nameif Equipment
 security-level 100
 ip address 10.5.0.3 255.255.252.0 
!
interface GigabitEthernet0/2.700
 description Staff Interface
 vlan 7
 nameif Staff
 security-level 100
 ip address 10.6.2.3 255.255.255.192 
!
interface GigabitEthernet0/3
 description DMZ Interface
 nameif DMZ
 security-level 40
 ip address 10.10.10.1 255.255.255.240 
!
interface Management0/0
 nameif MGT
 security-level 100
 ip address 172.16.0.1 255.255.255.240 
 management-only
!
passwd 0jESGTKLXB.nb7sY encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name aaa
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat_outbound extended permit ip host 10.0.0.9 10.10.10.0 255.255.255.240 
pager lines 24
logging enable
logging asdm informational
mtu MGT 1500
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu Standard 1500
mtu VOIP 1500
mtu Corporate 1500
mtu Equipment 1500
mtu Staff 1500
mtu Main 1500
mtu CW 1500
mtu HN 1500
mtu TMDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 77.246.72.87 netmask 255.0.0.0
global (outside) 101 77.246.72.88 netmask 255.0.0.0
global (outside) 101 77.246.72.85 netmask 255.0.0.0
global (outside) 101 77.246.72.86 netmask 255.0.0.0
global (outside) 101 77.246.72.89 netmask 255.0.0.0
global (DMZ) 202 10.10.10.9-10.10.10.11 netmask 255.0.0.0
nat (inside) 202 access-list inside_nat_outbound
nat (inside) 101 10.6.1.0 255.255.255.248
nat (inside) 101 10.6.0.32 255.255.255.240
nat (inside) 101 10.6.3.0 255.255.255.240
nat (inside) 101 10.6.0.0 255.255.255.224
nat (inside) 101 10.6.2.0 255.255.255.192
nat (inside) 101 10.5.0.0 255.255.252.0
nat (inside) 101 10.3.0.0 255.255.240.0
nat (inside) 101 10.1.0.0 255.255.128.0
static (DMZ,outside) 77.246.72.90 10.10.10.6 netmask 255.255.255.255 
static (DMZ,outside) 77.246.72.83 10.10.10.5 netmask 255.255.255.255 
static (DMZ,outside) 77.246.72.84 10.10.10.3 netmask 255.255.255.255 
route outside 0.0.0.0 0.0.0.0 77.246.72.81 1
route inside 10.1.0.0 255.255.128.0 10.0.0.2 1
route inside 10.3.0.0 255.255.240.0 10.0.0.2 1
route inside 10.5.0.0 255.255.252.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.10.9 255.255.255.255 DMZ
http 10.0.0.9 255.255.255.255 inside
http 172.16.0.0 255.255.255.248 MGT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 172.16.0.2 255.255.255.255 MGT
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.0.2-172.16.0.6 MGT
dhcpd dns 198.6.1.5 interface MGT
dhcpd enable MGT
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:9c577be224a2cb3c98f0e7ecd797436e
: end
xyzabc# sh xlate
3 in use, 2070 most used
Global XX.XXX.XX.90 Local 10.10.10.6
Global XX.XXX.XX.83 Local 10.10.10.5
Global XX.XXX.XX.84 Local 10.10.10.3
xyzabc# sh xlate
11 in use, 2070 most used
Global XXX.XXX.XX.90 Local 10.10.10.6
Global XX.XXX.XX.83 Local 10.10.10.5
Global XX.XXX.XX.84 Local 10.10.10.3
PAT Global XXX.XXX.XX.87(1063) Local 10.1.0.9(3552) 
PAT Global XXX.XXX.XX.87(1059) Local 10.1.0.9(58957) 
PAT Global XXX.XXX.XX.87(1062) Local 10.1.0.9(3551) 
PAT Global XXX.XXX.XX.87(1058) Local 10.1.0.9(57605) 
PAT Global XXX.XXX.XX.87(1061) Local 10.1.0.9(3550) 
PAT Global XXX.XXX.XX.87(1057) Local 10.1.0.9(54839) 
PAT Global XXX.XXX.XX.87(1060) Local 10.1.0.9(3549) 
PAT Global XXX.XXX.XX.87(1056) Local 10.1.0.9(49867) 
xyzabc# sh route
 
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
 
Gateway of last resort is XX.XXX.XX.81 to network 0.0.0.0
 
C    172.16.0.0 255.255.255.240 is directly connected, MGT
C    XX.XXX.XX.80 255.255.255.240 is directly connected, outside
C    10.3.0.0 255.255.240.0 is directly connected, Corporate
C    10.0.0.0 255.255.255.240 is directly connected, inside
C    10.10.10.0 255.255.255.240 is directly connected, DMZ
C    10.1.0.0 255.255.128.0 is directly connected, Standard
C    10.6.0.0 255.255.255.224 is directly connected, Main
C    10.6.1.0 255.255.255.248 is directly connected, HN
C    10.6.2.0 255.255.255.192 is directly connected, Staff
C    10.4.0.0 255.255.128.0 is directly connected, VOIP
C    10.6.3.0 255.255.255.240 is directly connected, TMDE
C    10.5.0.0 255.255.252.0 is directly connected, Equipment
C    10.6.0.32 255.255.255.240 is directly connected, CW
S*   0.0.0.0 0.0.0.0 [1/0] via 77.246.72.81, outside
xyzabc# sh conn
6 in use, 4255 most used
TCP out 75.65.216.108:6667 in 10.10.10.6:1225 idle 0:00:02 bytes 2284506 flags UIO
TCP out 74.125.95.102:80 in 10.1.0.9:3552 idle 0:00:03 bytes 762 flags UFRIO
TCP out 207.46.192.254:80 in 10.1.0.9:3549 idle 0:00:35 bytes 1582 flags UIO
WISP-ASA# sh perfmon
 
PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup            0/s          0/s
TCP Intercept        0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
xyzabc# sh int
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
	Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
	MAC address 001e.f762.9570, MTU 1500
	IP address XX.XXX.XX.93, subnet mask 255.255.255.240
	1881799 packets input, 1319211423 bytes, 0 no buffer
	Received 23725 broadcasts, 0 runts, 0 giants
	0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	1181707 packets output, 177008162 bytes, 0 underruns
	0 output errors, 0 collisions, 6 interface resets
	0 late collisions, 0 deferred
	0 input reset drops, 0 output reset drops
	input queue (curr/max packets): hardware (0/17) software (0/0)
	output queue (curr/max packets): hardware (0/6) software (0/0)
  Traffic Statistics for "outside":
	18179 packets input, 9086736 bytes
	11112 packets output, 813789 bytes
	3433 packets dropped
      1 minute input rate 0 pkts/sec,  231 bytes/sec
      1 minute output rate 0 pkts/sec,  16 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  387 bytes/sec
      5 minute output rate 0 pkts/sec,  36 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/1 "", is administratively down, line protocol is down
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
	Auto-Duplex, Auto-Speed
	Available but not configured via nameif
	MAC address 001e.f762.9571, MTU not set
	IP address unassigned
	0 packets input, 0 bytes, 0 no buffer
	Received 0 broadcasts, 0 runts, 0 giants
	0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	0 packets output, 0 bytes, 0 underruns
	0 output errors, 0 collisions, 0 interface resets
	0 late collisions, 0 deferred
	0 input reset drops, 0 output reset drops
	input queue (curr/max packets): hardware (0/0) software (0/0)
	output queue (curr/max packets): hardware (0/0) software (0/0)
Interface GigabitEthernet0/2 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
	Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
	MAC address 001e.f762.9572, MTU 1500
	IP address 10.0.0.1, subnet mask 255.255.255.240
	1152565 packets input, 177452838 bytes, 0 no buffer
	Received 49251 broadcasts, 0 runts, 0 giants
	0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	1645918 packets output, 1061022910 bytes, 7 underruns
	0 output errors, 324 collisions, 10 interface resets
	0 late collisions, 15 deferred
	0 input reset drops, 0 output reset drops
	input queue (curr/max packets): hardware (3/33) software (0/0)
	output queue (curr/max packets): hardware (0/5) software (0/0)
  Traffic Statistics for "inside":
	5895 packets input, 639799 bytes
	5611 packets output, 4809065 bytes
	1093 packets dropped
      1 minute input rate 0 pkts/sec,  4 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  37 bytes/sec
      5 minute output rate 0 pkts/sec,  245 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/2.110 "Main", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
	VLAN identifier 11
	Description: Main Office Interface
	MAC address 001e.f762.9572, MTU 1500
	IP address 10.6.0.3, subnet mask 255.255.255.224
  Traffic Statistics for "Main":
	0 packets input, 0 bytes
	0 packets output, 0 bytes
	0 packets dropped
Interface GigabitEthernet0/2.120 "CW", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
	VLAN identifier 12
	Description: CW Interface
	MAC address 001e.f762.9572, MTU 1500
	IP address 10.6.0.35, subnet mask 255.255.255.240
  Traffic Statistics for "CW":
	0 packets input, 0 bytes
	0 packets output, 0 bytes
	0 packets dropped
Interface GigabitEthernet0/2.130 "HN", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
	VLAN identifier 13
	Description: HN Interface
	MAC address 001e.f762.9572, MTU 1500
	IP address 10.6.1.3, subnet mask 255.255.255.248
  Traffic Statistics for "HN":
	0 packets input, 0 bytes
	0 packets output, 0 bytes
	0 packets dropped
Interface GigabitEthernet0/2.140 "TMDE", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
	VLAN identifier 14
	Description: TMDE Interface
	MAC address 001e.f762.9572, MTU 1500
	IP address 10.6.3.3, subnet mask 255.255.255.240
  Traffic Statistics for "TMDE":
	0 packets input, 0 bytes
	0 packets output, 0 bytes
	0 packets dropped
Interface GigabitEthernet0/2.200 "Standard", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
	VLAN identifier 2
	Description: Standard Interface
	MAC address 001e.f762.9572, MTU 1500
	IP address 10.1.0.3, subnet mask 255.255.128.0
  Traffic Statistics for "Standard":
	0 packets input, 0 bytes
	0 packets output, 0 bytes
	0 packets dropped
Interface GigabitEthernet0/2.300 "VOIP", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
	VLAN identifier 3
	Description: VOIP Interface
	MAC address 001e.f762.9572, MTU 1500
	IP address 10.4.0.3, subnet mask 255.255.128.0
  Traffic Statistics for "VOIP":
	0 packets input, 0 bytes
	0 packets output, 0 bytes
	0 packets dropped
Interface GigabitEthernet0/2.500 "Corporate", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
	VLAN identifier 5
	Description: Corporate Interface
	MAC address 001e.f762.9572, MTU 1500
	IP address 10.3.0.3, subnet mask 255.255.240.0
  Traffic Statistics for "Corporate":
	1 packets input, 40 bytes
	1 packets output, 40 bytes
	1 packets dropped
Interface GigabitEthernet0/2.600 "Equipment", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
	VLAN identifier 6
	Description: Equipment Interface
	MAC address 001e.f762.9572, MTU 1500
	IP address 10.5.0.3, subnet mask 255.255.252.0
  Traffic Statistics for "Equipment":
	0 packets input, 0 bytes
	0 packets output, 0 bytes
	0 packets dropped
Interface GigabitEthernet0/2.700 "Staff", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
	VLAN identifier 7
	Description: Staff Interface
	MAC address 001e.f762.9572, MTU 1500
	IP address 10.6.2.3, subnet mask 255.255.255.192
  Traffic Statistics for "Staff":
	0 packets input, 0 bytes
	0 packets output, 0 bytes
	0 packets dropped
Interface GigabitEthernet0/3 "DMZ", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
	Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
	Description: DMZ Interface
	MAC address 001e.f762.9573, MTU 1500
	IP address 10.10.10.1, subnet mask 255.255.255.240
	1116010 packets input, 79427748 bytes, 8440 no buffer
	Received 7009 broadcasts, 0 runts, 0 giants
	0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	1081713 packets output, 179228376 bytes, 4639 underruns
	0 output errors, 0 collisions, 5 interface resets
	0 late collisions, 0 deferred
	0 input reset drops, 0 output reset drops
	input queue (curr/max packets): hardware (1/33) software (0/0)
	output queue (curr/max packets): hardware (0/3) software (0/0)
  Traffic Statistics for "DMZ":
	6794 packets input, 1070221 bytes
	9756 packets output, 3530205 bytes
	729 packets dropped
      1 minute input rate 0 pkts/sec,  10 bytes/sec
      1 minute output rate 0 pkts/sec,  131 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  7 bytes/sec
      5 minute output rate 0 pkts/sec,  96 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Management0/0 "MGT", is up, line protocol is up
  Hardware is i82557, BW 100 Mbps, DLY 100 usec
	Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
	MAC address 001e.f762.956f, MTU 1500
	IP address 172.16.0.1, subnet mask 255.255.255.240
	69436 packets input, 4754010 bytes, 0 no buffer
	Received 1777 broadcasts, 0 runts, 0 giants
	23 input errors, 0 CRC, 0 frame, 23 overrun, 0 ignored, 0 abort
	0 L2 decode drops
	60385 packets output, 21204383 bytes, 0 underruns
	0 output errors, 0 collisions, 0 interface resets
	0 babbles, 0 late collisions, 0 deferred
	0 lost carrier, 0 no carrier
	input queue (curr/max packets): hardware (0/1) software (103/187)
	output queue (curr/max packets): hardware (128/128) software (5848/5848)
  Traffic Statistics for "MGT":
	69196 packets input, 3441005 bytes
	66244 packets output, 20346909 bytes
	11197 packets dropped
      1 minute input rate 82 pkts/sec,  3327 bytes/sec
      1 minute output rate 91 pkts/sec,  4386 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 4 pkts/sec,  214 bytes/sec
      5 minute output rate 3 pkts/sec,  862 bytes/sec
      5 minute drop rate, 0 pkts/sec
	Management-only interface. Blocked 5390 through-the-device packets

Open in new window

0
Comment
Question by:demetri08
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 3
  • +1
15 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22652847
a cisco 2651 is a router, an asa is a security device or firewall, you maybe using device as a router in which it is not made to be a router or handle that type of traffic.
You should replace you 2651 router with another router in front of your firewall.
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22652848
just my 2 cents.
0
 

Author Comment

by:demetri08
ID: 22652899
understood, but the ASA should be capable of the routing and NATing required to take over the functions of the existing router.....
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 79

Accepted Solution

by:
lrmoore earned 1500 total points
ID: 22655793
Suggest re-doing the nat and globals

---- current ----
global (outside) 101 77.246.72.87 netmask 255.0.0.0
global (outside) 101 77.246.72.88 netmask 255.0.0.0
global (outside) 101 77.246.72.85 netmask 255.0.0.0
global (outside) 101 77.246.72.86 netmask 255.0.0.0
global (outside) 101 77.246.72.89 netmask 255.0.0.0
global (DMZ) 202 10.10.10.9-10.10.10.11 netmask 255.0.0.0
nat (inside) 202 access-list inside_nat_outbound
nat (inside) 101 10.6.1.0 255.255.255.248
nat (inside) 101 10.6.0.32 255.255.255.240
nat (inside) 101 10.6.3.0 255.255.255.240
nat (inside) 101 10.6.0.0 255.255.255.224
nat (inside) 101 10.6.2.0 255.255.255.192
nat (inside) 101 10.5.0.0 255.255.252.0
nat (inside) 101 10.3.0.0 255.255.240.0
nat (inside) 101 10.1.0.0 255.255.128.0


---- proposed ----I hope you see the pattern and understand that there is a nat to match each global, and nat is attached to the appropriate interface

global (outside) 101 77.246.72.87
global (outside) 102 77.246.72.88
global (outside) 103 77.246.72.85
global (outside) 104 77.246.72.86
global (outside) 105 77.246.72.89
global (ourside) 100 interface
global (DMZ) 202 10.10.10.9-10.10.10.11 netmask 255.0.0.0
nat (inside) 202 access-list inside_nat_outbound
nat (CW 101 10.6.1.0 255.255.255.248
nat ( ?? ) 102 10.6.0.32 255.255.255.240
nat (TMDE) 103 10.6.3.0 255.255.255.240
nat (Main) 104 10.6.0.0 255.255.255.224
nat (Staff) 105 10.6.2.0 255.255.255.192
nat (Equipment) 100 10.5.0.0 255.255.252.0
nat (Corporate) 100 10.3.0.0 255.255.240.0
nat (Standard) 100 10.1.0.0 255.255.128.0
0
 

Author Comment

by:demetri08
ID: 22656912
OK, did that and will try it out soon. any other areas of the config that would be advisable to re-do? Thanks....
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22658609
I hope your transparent proxy and the Packeteer support trunking through them and can see all of the vlans.

You have static routes to networks that are directly connected. You can remove these
route inside 10.1.0.0 255.255.128.0 10.0.0.2 1
route inside 10.3.0.0 255.255.240.0 10.0.0.2 1
route inside 10.5.0.0 255.255.252.0 10.0.0.2 1

To route between interfaces you going to have to disable nat control
  no nat-control

0
 

Author Comment

by:demetri08
ID: 22659136
for the networks that are 'directly connected' they are actually vlans that are directly connected to the 4503 which is 10.0.0.2 (in the native vlan for the Inside interface of the ASA). i thought this was required for routes that are not directly connected. i'm clearly not understanding this...also, when i try to remove them, it says i connot remove a route that is directly connected...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22660772
If you have an interface, such as vlan subifs on the asa, you should not add static routes pointing those networks to somewhere else.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22665534
That's correct. The ASA can have several different kinds of routes and it determines which one to use first for a particular location based on its "administrative distance" (which basically means reliability). When you have a network that is defined on the ASA (such as a VLAN or subinterface), that is counted as a CONNECTED (or local) route. Other types such as static and others fall into place after this. If you have a network defined in one of the above ways, it has a route in the ASA by default.
You can view currently active routes by running a sh route command.
Cheers! Let me know if you have any questions!
0
 

Author Comment

by:demetri08
ID: 22666052
OK. I originally had the networks configured as static routes back to 10.0.0.2, the gateway for them--and I did not have them configured as VLANs/subinterfaces. I made that change after seeing a large number of L2 decode drops on the Inside interface. So, I'll keep them as vlans and remove the routes I added....
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22666224
Cool! Any questions?
0
 

Author Comment

by:demetri08
ID: 22678285
i did everything advised, but still had issues when i connected it to the transparent bandwidth manager/proxy and 4503 L3 Switch. I now have it connected to the switch directly and am using a test subnet to try and troubleshoot. I set different macs or each vlan/subinterface on g 0/2. This impacted it, as i immediately saw more hosts/broadcats on the asdm log. any way to check whether my switch supports the sharing of one mac for multiple vlans? also, must i have security license plus to support mode? with the subinterfaces configured as they are it has the correct native vlan and all other vlans match up. however, i guess this won't do much if it doesn't trunk/tag the vlans. thanks in advance....
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22679758
which switch is it?
Also, 5520 doesn't have a security plus license - those features are already there.
As far as VLANs and subinterfaces on the ASA go, it's usually easier to have as few as possible interfaces on the ASA (use VLANs only for traffic management such as DMZ/inside/etc) because it causes complications.
Try to put all of your VLANs on your switches only and then either put in static routes on the ASA for those VLANs or run a dynamic routing protocol like EIGRP, OSPF, or RIP.
V. 8.x of ASA software will run those protocols, 7.x will only run RIP and OSPF.
Cheers! Let me know if you have any questions!
 
0
 

Author Comment

by:demetri08
ID: 22679949
ok I'll try that now. I had it that way before, but i was getting a large amount of L2 decode errors. Any insight as to why that would be? they were all errors on the Inside interface (inside=physical interface where all the vlans were setup as subinterfaces).

0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22682719
Hmmm... interference with the cables maybe? Bad cables? Duplex mismatches?
What kind of switch?
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question